Data centers need someone monitoring both the networks and the parking lot 24 hours a day, Homeland Security’s Caitlin Durkovich says.

Apr 26 2016

At Federal Data Centers, Physical Security Is the Other Half of the Cyberbattle

Network security gets the attention, but physical security at federal data centers requires the same focus.

In Loudoun County, Va., about 40 miles west of downtown Washington, D.C., sits the world’s largest concentration of data centers: more than 6 million square feet of IT real estate, with more planned.

The area is a nondescript suburb of the nation’s capital, except that it features excellent conditions for data centers: redundant water and power, broadband connectivity and a low probability of natural disasters.

From a cybersecurity perspective, it’s ideal. And a chief reason is that the federal security picture goes beyond stopping zero-day attacks and advanced persistent threats, says Caitlin Durkovich, assistant secretary of homeland security for infrastructure protection at the Department of Homeland Security.

Network security is only a part of the puzzle, she points out.

“You want to ensure that only em­ployees who need access to systems have access,” Durkovich says. “It’s not just security from bad people. You have to account for local threats like hurricanes or potential hazards from neighboring facilities in the area.”

Multiple Facets of Physical Security

Just as network security incorporates many different aspects, so does physical security. Security cameras and biometric access control systems offer agencies increased physical protection. Other safeguarding strategies include building data centers in locations not prone to natural disasters, hiring security guards and building in redundancy for power and telecommunications.

For effective physical security, agencies must think holistically, rather than focusing on a single aspect, and consider how the different components function together.

That was the approach the Labor Department recently took when it built a private cloud at a third-party data center in Silver Spring, Md. The Tier 4 multitenant facility provides multiple layers of physical security, including a crashproof fence along the property’s perimeter and a gated entryway, says Fred Whiteside, program manager for Labor’s data center consolidation program.

To enter the premises, authorized IT personnel in vehicles must place their ID badges on a card reader to open the gate. Then, once inside the parking lot, employees must go through several checkpoints to enter the building and access IT infrastructure.

Each time an employee enters an area, they must prove their identity through two-factor authentication, Whiteside says. For example, before employees can enter the locked cage that houses the department’s IT equipment, they must scan their ID cards on a card reader and have their retinas scanned.

“Guards monitor every touchpoint, and of course there are security cameras everywhere,” he says.

Overall, Whiteside says he’s impressed with the physical security of the facility, both inside and out. “The physical security is top-notch and elaborate. When I’ve visited, I haven’t seen any aspects that were lacking or could be improved.”

Getting Caught on Camera

Physical security takes many forms. Access control systems continue to grow in popularity. They range from employee badge readers and keypads to biometric systems, such as fingerprint readers, iris scanners and facial recognition.

For high-security needs, agencies should deploy two-factor authentication to verify visitor identities before allowing them entry, Durkovich says. That might include scanning a personal identity verification (PIV) card and entering a code.

To complement access control, agencies should also strategically install surveillance cameras to provide full coverage of both the interior and exterior of the data center, she says.

“You want cameras in key locations — in all access points around the perimeter and within the server rooms,” Durkovich says.

She recommends integrating all security systems in an operations center. A team can use a security information and event management tool such as RSA Envision or HPE ArcSight to get a centralized, real-time view of the data center’s security posture. This includes everything from access control systems and security cameras to alarm systems and sensors on the perimeter fence.

Fixed cameras provide adequate coverage, but pan-tilt-zoom cameras in large, open areas, such as lobbies and parking lots, let security personnel focus in on anything suspicious, she adds.

“You absolutely need someone onsite viewing the cameras live, so they can quickly respond to anything that doesn’t seem right,” Durkovich says.

Jonathan Timmes

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT